Miscellaneous

Question 1

What is Measurable Security ?

Answer 1

“All aspects of security mechanisms function, provide a clear benefit, & have metrics that can be recorded & analyzed.”

Question 2

What ensures proper creation, implementation, & enforcement of a security policy?

Answer 2

Security Management Planning

Question 3

Which kind of approach to building security policy is generally frowned upon by experts?

Answer 3

A bottom-up approach.

Question 4

What are some elements of Threat Mode Diagrams ?

Answer 4

• Trust Boundaries
• Dataflow Paths
• Input Points
• Privileged Operations
• Details about Security Stance/Approach

Question 5

What is DREAD ?

Answer 5

Rating for threats: Disaster, Reproducibility, Exploitability, Affected Assets, Discoverability).

Question 6

What is the focus of Risk Assessment ?

Answer 6

Assets, and potential loss of or damage to assets.

Question 7

What are three Threat Modeling approaches?

Answer 7

• Focused on Assets
• Focused on Attackers
• Focuses on Software

Question 8

What is STRIDE ?

Answer 8

Microsoft Threat Model.
- Spoofing
- Tampering
- Repudiation
- Info Disclosure
- DoS
- Elevation of Privileges

Question 9

What is PASTA ?

Answer 9

Risk-centric Threat Model
Stage 1: Definition of objectives (DO)
Stage 2: Define Tech Scope (DTS)
Stage 3: App Decomposition & Analysis (ADA)
Stage 4: Threat Analysis (TA)
Stage 5: Weakness & Vulnerability Analysis (WVA)
Stage 6: Attack Modeling & Simulation (AMS)
Stage 7: Risk Analysis & Management (RAM)

Question 10

What is VAST ?

Answer 10

Visual, Agile, & Simple Threat Modeling

Question 11

Differentiate Due Diligence & Due Care

Answer 11

Due Diligence is planning
Due Care is doing

Question 12

What is a Security Policy ?

Answer 12

Overview/Generalization of an organization’s security needs. Covers:
- Scope of the security needed
- Assets that need protection
- Extent to which security should go to protect assets
Security Policies are required to show due diligence.

Question 13

What are COBIT’s Six Principles?

Answer 13

1. Provide Stakeholder Value
2. Use a holistic approach
3. Have a dynamic governance system
4. Keep governance separate from management
5. Tailor security to enterprise needs
6. Use an end-to-end governance system

Question 14

List some security frameworks

Answer 14

• NIST 800-53 rev5 (Security & Privacy Controls for Information Systems and Organizations)
• CIS (Center for Internet Security)
• NIST Risk Management Framework (RMF)
• NIST CSF (Cybersecurity Framework)
• ISO 27000 series
• ITIL (from the British Government)

Question 15

Who should lead an InfoSec Team?

Answer 15

A CISO.

Question 16

What is the key to any security plan?

Answer 16

Approval by Senior Management

Question 17

What are the three levels of security planning?

Answer 17

Strategic, Tactical, Operational

Question 18

What are some steps in reviewing potential security integration partners?

Answer 18

• On-site assessment
• Document Exchange & Review
• Process Policy Review
• 3rd-party audit

Question 19

What document from partners/vendors goes into your SLA?

Answer 19

SLR (Service Level Reporting)

Question 20

What is COBIT ?

Answer 20

Control Objectives for Information & Related Technology (From ISACA, the Information Systems Audit & Control Association)

Question 21

What are the sections of the CISSP Exam?

Answer 21

• Security and Risk Management
• Asset Security
• Security Architecture and Engineering
• Communication and Network Security
• Identity and Access Management (IAM)
• Security Assessment and Testing
• Security Operations
• Software Development Security